<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">

<title>Hudak&#8217;s Honeypot (Part 1) &#8211; Righteous IT</title>
<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//s2.wp.com' />
<link rel='dns-prefetch' href='//s1.wp.com' />
<link rel='dns-prefetch' href='//s0.wp.com' />
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.pubmine.com' />
<link rel='dns-prefetch' href='//x.bidswitch.net' />
<link rel='dns-prefetch' href='//static.criteo.net' />
<link rel='dns-prefetch' href='//ib.adnxs.com' />
<link rel='dns-prefetch' href='//aax.amazon-adsystem.com' />
<link rel='dns-prefetch' href='//bidder.criteo.com' />
<link rel='dns-prefetch' href='//cas.criteo.com' />
<link rel='dns-prefetch' href='//gum.criteo.com' />
<link rel='dns-prefetch' href='//ads.pubmatic.com' />
<link rel='dns-prefetch' href='//gads.pubmatic.com' />
<link rel='dns-prefetch' href='//tpc.googlesyndication.com' />
<link rel='dns-prefetch' href='//ad.doubleclick.net' />
<link rel='dns-prefetch' href='//googleads.g.doubleclick.net' />
<link rel='dns-prefetch' href='//www.googletagservices.com' />
<link rel='dns-prefetch' href='//cdn.switchadhub.com' />
<link rel='dns-prefetch' href='//delivery.g.switchadhub.com' />
<link rel='dns-prefetch' href='//delivery.swid.switchadhub.com' />
<link rel='dns-prefetch' href='//a.teads.tv' />
<link rel='dns-prefetch' href='//prebid.media.net' />
<link rel='dns-prefetch' href='//adserver-us.adtech.advertising.com' />
<link rel='dns-prefetch' href='//fastlane.rubiconproject.com' />
<link rel='dns-prefetch' href='//prebid-server.rubiconproject.com' />
<link rel='dns-prefetch' href='//hb-api.omnitagjs.com' />
<link rel='dns-prefetch' href='//mtrx.go.sonobi.com' />
<link rel='dns-prefetch' href='//apex.go.sonobi.com' />
<link rel='dns-prefetch' href='//u.openx.net' />
<link rel="alternate" type="application/rss+xml" title="Righteous IT &raquo; Feed" href="https://righteousit.wordpress.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Righteous IT &raquo; Comments Feed" href="https://righteousit.wordpress.com/comments/feed/" />
<link rel="alternate" type="application/rss+xml" title="Righteous IT &raquo; Hudak&#8217;s Honeypot (Part&nbsp;1) Comments Feed" href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/feed/" />
	<script type="text/javascript">
		/* <![CDATA[ */
		function addLoadEvent(func) {
			var oldonload = window.onload;
			if (typeof window.onload != 'function') {
				window.onload = func;
			} else {
				window.onload = function () {
					oldonload();
					func();
				}
			}
		}
		/* ]]> */
	</script>
			<script type="text/javascript">
			window._wpemojiSettings = {"baseUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/72x72\/","ext":".png","svgUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/s2.wp.com\/wp-includes\/js\/wp-emoji-release.min.js?m=1625065786h&ver=5.8.2"}};
			!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([10084,65039,8205,55357,56613],[10084,65039,8203,55357,56613])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);
		</script>
		<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='all-css-0-1' href='https://s1.wp.com/_static/??-eJyNkttuwyAMhl9ohKaqotxMexYOFqM1B2FYxduPZFvHkq3dDdKP/dm/MfwamQo+g8/cFRaxGOuJX6MKjpGzCHWjBkX0xDtMYjDfYEhaaOIGgxS4y+1aJECRQbMYKG/UPQztBYifIUehLmxVu/SvXFOalJBMiyTgb+NxOA4HLotFvdheC8gkUuWUK8KtkPUKi176EHegrQAEtxrpRERRITEEI1QdnPWP8Rbr9Q/ob/Or025mUUPJzCSrN7b/XSKJbL2hB7gKn9hxGOdhZGRdRODaUr7F2O8luoUtT9/uXRT7+e9gH39OypiAiLXT2eJYfm3guvAX9zxOp8M4T6dpPr8Dc6sLSQ==?cssminify=yes' type='text/css' media='all' />
<style id='wp-block-library-inline-css'>
.has-text-align-justify {
	text-align:justify;
}
</style>
<style id='global-styles-inline-css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='all-css-2-1' href='https://s1.wp.com/_static/??/wp-content/themes/pub/libre-2/style.css,/wp-content/themes/pub/libre-2/css/blocks.css?m=1613988684j&cssminify=yes' type='text/css' media='all' />
<link crossorigin="anonymous" rel='stylesheet' id='libre-2-fonts-css'  href='https://fonts.googleapis.com/css?family=Libre+Baskerville%3A400%2C400italic%2C700&#038;subset=latin%2Clatin-ext' media='all' />
<link rel='stylesheet' id='all-css-4-1' href='https://s1.wp.com/_static/??-eJzTLy/QTc7PK0nNK9HPLdUtyClNz8wr1k9PzdfNyU9OLMnMz0Ph6KblJGYW6SUXF+voY9dalJqUk58OZKbrA1UhcUGa7HNtDU1MLU1MLMwNTbIAmkQtqg==?cssminify=yes' type='text/css' media='all' />
<link rel='stylesheet' id='print-css-5-1' href='https://s2.wp.com/wp-content/mu-plugins/global-print/global-print.css?m=1465851035h&cssminify=yes' type='text/css' media='print' />
<style id='jetpack-global-styles-frontend-style-inline-css'>
:root { --font-headings: unset; --font-base: unset; --font-headings-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif; --font-base-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif;}
</style>
<link rel='stylesheet' id='all-css-8-1' href='https://s0.wp.com/_static/??-eJx1zc0OAiEMBOAXstafxejB+CxAWKgplFDIxrdXD3sw6mkyyXwZXCp4KT2UjnlA5RGpKFbRDjNbaqjJNipxza1X3eBvpeLJMrBE+SxfqKeQw+tmOGRyLcABqXjU/uAAS/WS/5E0YWRxlt+DW77uT8ezMTtzme5Px85KmQ==?cssminify=yes' type='text/css' media='all' />
<script id='jetpack_related-posts-js-extra'>
var related_posts_js_options = {"post_heading":"h4"};
</script>
<script id='wpcom-actionbar-placeholder-js-extra'>
var actionbardata = {"siteID":"6525939","siteURL":"http:\/\/righteousit.wordpress.com","xhrURL":"https:\/\/righteousit.wordpress.com\/wp-admin\/admin-ajax.php","nonce":"c7dce5aac2","isLoggedIn":"","statusMessage":"","subsEmailDefault":"instantly","proxyScriptUrl":"https:\/\/s0.wp.com\/wp-content\/js\/wpcom-proxy-request.js?ver=20211021","shortlink":"https:\/\/wp.me\/prnH5-7w","i18n":{"followedText":"New posts from this site will now appear in your <a href=\"https:\/\/wordpress.com\/read\">Reader<\/a>","foldBar":"Collapse this bar","unfoldBar":"Expand this bar"}};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/_static/??-eJyFjksOwjAMRC+EGxAVFQvEWdLERInyw07U9vYEQVHVDSvLnjczFlMGlWLBWIRjEdJoPUJlJGnaDWx8pM7xQWy4UCH7amxkQehlQQ05cdlte1dLJ18gU5qXVbNR+aqR36J7VqTlO7pg418IgjXUCrfw2jb6ZH5fTom01AzKS+ZPkAoZuNSx+e7hdrqch+HY99fBvQAktWVR'></script>
<script type='text/javascript'>
	window.addEventListener( 'DOMContentLoaded', function() {
		rltInitialize( {"token":null,"iframeOrigins":["https:\/\/widgets.wp.com"]} );
	} );
</script>
<link rel='stylesheet' id='all-css-0-2' href='https://s0.wp.com/wp-content/mu-plugins/highlander-comments/style.css?m=1638269982h&cssminify=yes' type='text/css' media='all' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://righteousit.wordpress.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://s1.wp.com/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress.com" />
<link rel="canonical" href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/" />
<link rel='shortlink' href='https://wp.me/prnH5-7w' />
<link rel="alternate" type="application/json+oembed" href="https://public-api.wordpress.com/oembed/?format=json&amp;url=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F20%2Fhudaks-honeypot-part-1%2F&amp;for=wpcom-auto-discovery" /><link rel="alternate" type="application/xml+oembed" href="https://public-api.wordpress.com/oembed/?format=xml&amp;url=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F20%2Fhudaks-honeypot-part-1%2F&amp;for=wpcom-auto-discovery" />
<!-- Jetpack Open Graph Tags -->
<meta property="og:type" content="article" />
<meta property="og:title" content="Hudak&#8217;s Honeypot (Part 1)" />
<meta property="og:url" content="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/" />
<meta property="og:description" content="Recently Tyler Hudak (@SecShoggoth) tweeted: Oh Tyler, you had me at #Ubuntu! Tyler provided a link to the files and I grabbed them. Here&#8217;s the included readme.txt, just to set the scene: Thi…" />
<meta property="article:published_time" content="2021-12-20T12:30:00+00:00" />
<meta property="article:modified_time" content="2021-12-20T02:48:22+00:00" />
<meta property="og:site_name" content="Righteous IT" />
<meta property="og:image" content="https://s0.wp.com/i/blank.jpg" />
<meta property="og:image:alt" content="" />
<meta property="og:locale" content="en_US" />
<meta name="twitter:text:title" content="Hudak&#8217;s Honeypot (Part&nbsp;1)" />
<meta name="twitter:card" content="summary" />
<meta property="fb:app_id" content="249643311490" />
<meta property="article:publisher" content="https://www.facebook.com/WordPresscom" />

<!-- End Jetpack Open Graph Tags -->
<link rel="shortcut icon" type="image/x-icon" href="https://s1.wp.com/i/favicon.ico" sizes="16x16 24x24 32x32 48x48" />
<link rel="icon" type="image/x-icon" href="https://s1.wp.com/i/favicon.ico" sizes="16x16 24x24 32x32 48x48" />
<link rel="apple-touch-icon" href="https://s2.wp.com/i/webclip.png" />
<link rel='openid.server' href='https://righteousit.wordpress.com/?openidserver=1' />
<link rel='openid.delegate' href='https://righteousit.wordpress.com/' />
<link rel="search" type="application/opensearchdescription+xml" href="https://righteousit.wordpress.com/osd.xml" title="Righteous IT" />
<link rel="search" type="application/opensearchdescription+xml" href="https://s1.wp.com/opensearch.xml" title="WordPress.com" />
<link rel="pingback" href="https://righteousit.wordpress.com/xmlrpc.php"><meta name="application-name" content="Righteous IT" /><meta name="msapplication-window" content="width=device-width;height=device-height" /><meta name="msapplication-tooltip" content="Join the crusade!" /><meta name="msapplication-task" content="name=Subscribe;action-uri=https://righteousit.wordpress.com/feed/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=Sign up for a free blog;action-uri=http://wordpress.com/signup/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=WordPress.com Support;action-uri=http://support.wordpress.com/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=WordPress.com Forums;action-uri=http://forums.wordpress.com/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="description" content="Recently Tyler Hudak (@SecShoggoth) tweeted: https://twitter.com/SecShoggoth/status/1468618295372922880 Oh Tyler, you had me at #Ubuntu! Tyler provided a link to the files and I grabbed them. Here&#039;s the included readme.txt, just to set the scene: This Ubuntu Linux honeypot was put online in Azure in early October with the sole purpose of watching what happens with those&hellip;" />
		<script type="text/javascript">

			window.doNotSellCallback = function() {

				var linkElements = [
					'a[href="https://wordpress.com/?ref=footer_blog"]',
					'a[href="https://wordpress.com/?ref=footer_website"]',
					'a[href="https://wordpress.com/?ref=vertical_footer"]',
					'a[href^="https://wordpress.com/?ref=footer_segment_"]',
				].join(',');

				var dnsLink = document.createElement( 'a' );
				dnsLink.href = 'https://wordpress.com/advertising-program-optout/';
				dnsLink.classList.add( 'do-not-sell-link' );
				dnsLink.rel = 'nofollow';
				dnsLink.style.marginLeft = '0.5em';
				dnsLink.textContent = 'Do Not Sell My Personal Information';

				var creditLinks = document.querySelectorAll( linkElements );

				if ( 0 === creditLinks.length ) {
					return false;
				}

				Array.prototype.forEach.call( creditLinks, function( el ) {
					el.insertAdjacentElement( 'afterend', dnsLink );
				});

				return true;
			};

		</script>
		<script id="cmp-configuration" type="application/configuration">{"gvlVersion":"122","consentLanguage":"EN","locale":"en","vendorsAll":"BDlr_6__7a_s_3_f__9ujzGr_v9e9_yGccL5tv3gu5f635ei_-wnZou_VNXBVyPEl27YJCAto5k6iak2LVEqteY9jUmzlORpRPZck09jL2zrAw9p8_sqfzJTPf_f__7_e-f___v_2_ue__r___7v__3__38____v_____________________-_A","vendorsLegInterest":"BDkAkw1LyALsyxwZNo0qhRAjCsJCoBQAUUAwtEVgA4OCnZWAT6ghYAITUBGBECDEFGDAIAABIAkIiAkALBAIgCIBAACAFCAhAARMAgsALAwCAAUA0LECKAIQJCDI4KjlMCAqRaKCWysQSgr2NMIAy3wIoFE9FQgI1miBYGQkLBzHAEgJeLJA8wRA","ajaxNonce":"7a20e2dd1d","modulePath":"https:\/\/s1.wp.com\/wp-content\/blog-plugins\/wordads-classes\/js\/","gvlPath":"https:\/\/public-api.wordpress.com\/wpcom\/v2\/sites\/6525939\/cmp\/vendors\/en\/","_":{"title":"Privacy & Cookies","intro":"We, WordPress.com, and our advertising partners store and\/or access information on your device and also process personal data, like unique identifiers, browsing activity, and other standard information sent by your device including your IP address. This information is collected over time and used for personalised ads, ad measurement, audience insights, and product development specific to our ads program. If this sounds good to you, select \"I Agree!\" below.  Otherwise, you can get more information, customize your consent preferences, or decline consent by selecting \"Learn More\". Note that your preferences apply to all websites in the <a href=\"https:\/\/automattic.com\/cookies\/#user-ads-consent\" target=\"_blank\">WordPress.com network<\/a>, and if you change your mind in the future you can update your preferences anytime by visiting the Privacy link displayed under each ad. One last thing, our partners may process some of your data based on legitimate interests instead of consent but you can object to that by choosing \"Learn More\" and then disabling the Legitimate Interests toggle under any listed Purpose or Partner.","config":"Learn More","accept":"I Agree!","viewPartners":"View Partners","error":"We're sorry but an unexpected error occurred. Please try again later."}}</script>		<script type="text/javascript">
		function __ATA_CC() {var v = document.cookie.match('(^|;) ?personalized-ads-consent=([^;]*)(;|$)');return v ? 1 : 0;}
		var __ATA_PP = { 'pt': 1, 'ht': 0, 'tn': 'libre-2', 'uloggedin': 0, 'amp': false, 'consent': __ATA_CC(), 'gdpr_applies': true, 'ad': { 'label': { 'text': 'Advertisements' }, 'reportAd': { 'text': 'Report this ad' }, 'privacySettings': { 'text': 'Privacy', 'onClick': function() { window.__tcfapi && window.__tcfapi( 'showUi' ) } } }, 'siteid': 8982, 'blogid': 6525939, 'js_hint': 'tcf2_test' };
		var __ATA = __ATA || {};
		__ATA.cmd = __ATA.cmd || [];
		__ATA.criteo = __ATA.criteo || {};
		__ATA.criteo.cmd = __ATA.criteo.cmd || [];
		</script>
		<script type="text/javascript">
		(function(){var g=Date.now||function(){return+new Date};function h(a,b){a:{for(var c=a.length,d="string"==typeof a?a.split(""):a,e=0;e<c;e++)if(e in d&&b.call(void 0,d[e],e,a)){b=e;break a}b=-1}return 0>b?null:"string"==typeof a?a.charAt(b):a[b]};function k(a,b,c){c=null!=c?"="+encodeURIComponent(String(c)):"";if(b+=c){c=a.indexOf("#");0>c&&(c=a.length);var d=a.indexOf("?");if(0>d||d>c){d=c;var e=""}else e=a.substring(d+1,c);a=[a.substr(0,d),e,a.substr(c)];c=a[1];a[1]=b?c?c+"&"+b:b:c;a=a[0]+(a[1]?"?"+a[1]:"")+a[2]}return a};var l=0;function m(a,b){var c=document.createElement("script");c.src=a;c.onload=function(){b&&b(void 0)};c.onerror=function(){b&&b("error")};a=document.getElementsByTagName("head");var d;a&&0!==a.length?d=a[0]:d=document.documentElement;d.appendChild(c)}function n(a){var b=void 0===b?document.cookie:b;return(b=h(b.split("; "),function(c){return-1!=c.indexOf(a+"=")}))?b.split("=")[1]:""}function p(a){return"string"==typeof a&&0<a.length}
		function r(a,b,c){b=void 0===b?"":b;c=void 0===c?".":c;var d=[];Object.keys(a).forEach(function(e){var f=a[e],q=typeof f;"object"==q&&null!=f||"function"==q?d.push(r(f,b+e+c)):null!==f&&void 0!==f&&(e=encodeURIComponent(b+e),d.push(e+"="+encodeURIComponent(f)))});return d.filter(p).join("&")}function t(a,b){a||((window.__ATA||{}).config=b.c,m(b.url))}var u=Math.floor(1E13*Math.random()),v=window.__ATA||{};window.__ATA=v;window.__ATA.cmd=v.cmd||[];v.rid=u;v.createdAt=g();var w=window.__ATA||{},x="s.pubmine.com";
		w&&w.serverDomain&&(x=w.serverDomain);var y="//"+x+"/conf",z=window.top===window,A=window.__ATA_PP&&window.__ATA_PP.gdpr_applies,B="boolean"===typeof A?Number(A):null,C=window.__ATA_PP||null,D=z?document.referrer?document.referrer:null:null,E=z?window.location.href:document.referrer?document.referrer:null,F,G=n("__ATA_tuuid");F=G?G:null;var H=window.innerWidth+"x"+window.innerHeight,I=n("usprivacy"),J=r({gdpr:B,pp:C,rid:u,src:D,ref:E,tuuid:F,vp:H,us_privacy:I?I:null},"",".");
		(function(a){var b=void 0===b?"cb":b;l++;var c="callback__"+g().toString(36)+"_"+l.toString(36);a=k(a,b,c);window[c]=function(d){t(void 0,d)};m(a,function(d){d&&t(d)})})(y+"?"+J);}).call(this);
		</script><link rel="amphtml" href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/amp/"><script type="text/javascript">
	window.google_analytics_uacct = "UA-52447-2";
</script>

<script type="text/javascript">
	var _gaq = _gaq || [];
	_gaq.push(['_setAccount', 'UA-52447-2']);
	_gaq.push(['_gat._anonymizeIp']);
	_gaq.push(['_setDomainName', 'wordpress.com']);
	_gaq.push(['_initData']);
	_gaq.push(['_trackPageview']);

	(function() {
		var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
		ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
		(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga);
	})();
</script>
</head>

<body class="post-template-default single single-post postid-466 single-format-standard wp-embed-responsive customizer-styles-applied no-sidebar singular highlander-enabled highlander-light">
<div class="site-wrapper">
	<div id="page" class="hfeed site">
		<a class="skip-link screen-reader-text" href="#content">Skip to content</a>
				<header id="masthead" class="site-header" role="banner">
			<div class="site-branding">
																						<p class="site-title"><a href="https://righteousit.wordpress.com/" rel="home">Righteous IT</a></p>
										<p class="site-description">Join the crusade!</p>
							</div><!-- .site-branding -->

			<div class="nav-wrapper">
				<nav id="site-navigation" class="main-navigation" role="navigation">
					<button class="menu-toggle" aria-controls="primary-menu" aria-expanded="false">&#9776; Menu</button>
					<div id="primary-menu" class="menu"><ul>
<li class="page_item page-item-2"><a href="https://righteousit.wordpress.com/about/">About</a></li>
</ul></div>
									</nav><!-- #site-navigation -->

							</div>

		</header><!-- #masthead -->

		<div id="content" class="site-content">

	<div id="primary" class="content-area">
		<main id="main" class="site-main" role="main">

		
			
<article id="post-466" class="post-466 post type-post status-publish format-standard hentry category-uncategorized tag-dfir tag-forensics tag-linux">
		<header class="entry-header">
		<h1 class="entry-title">Hudak&#8217;s Honeypot (Part&nbsp;1)</h1>
		<div class="entry-meta">
			<span class="posted-on">Posted on <a href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/" rel="bookmark"><time class="entry-date published" datetime="2021-12-20T05:30:00-07:00">December 20, 2021</time><time class="updated" datetime="2021-12-19T19:48:22-07:00">December 19, 2021</time></a></span><span class="byline"> by <span class="author vcard"><a class="url fn n" href="https://righteousit.wordpress.com/author/halpomeranz/">Hal Pomeranz</a></span></span>		</div><!-- .entry-meta -->
	</header><!-- .entry-header -->

	<div class="entry-content">
		
<p>Recently Tyler Hudak (@SecShoggoth) tweeted:</p>



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<div class="embed-twitter"><blockquote class="twitter-tweet" data-width="550" data-dnt="true"><p lang="en" dir="ltr">Quick question to the <a href="https://twitter.com/hashtag/dfir?src=hash&amp;ref_src=twsrc%5Etfw">#dfir</a> community. A few months (yes months) ago I put up an <a href="https://twitter.com/hashtag/Ubuntu?src=hash&amp;ref_src=twsrc%5Etfw">#Ubuntu</a> <a href="https://twitter.com/hashtag/honeypot?src=hash&amp;ref_src=twsrc%5Etfw">#honeypot</a> with apache remote code execution&#8230;and forgot about it until now. Yes, it is pwned. Anyone want the disk and memory from it to play with?</p>&mdash; Tyler Hudak (@SecShoggoth) <a href="https://twitter.com/SecShoggoth/status/1468618295372922880?ref_src=twsrc%5Etfw">December 8, 2021</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div>
</div></figure>



<p>Oh Tyler, you had me at #Ubuntu! Tyler provided <a href="https://drive.google.com/drive/folders/1CikK__51p8hXy2KHcy3iJiM-lnNw9f4C" target="_blank" rel="noreferrer noopener">a link to the files</a> and I grabbed them. Here&#8217;s the included readme.txt, just to set the scene:</p>



<pre class="wp-block-code"><code>This Ubuntu Linux honeypot was put online in Azure in early October with the sole purpose of watching what happens with those exploiting CVE-2021-41773.

Initially there was a large amount of cryptominers that hit the system. You will see one cron script that is meant to remove files named kinsing in /tmp. This was my way of preventing these miners so more interesting things could occur.

Then, as with many things, I got busy and forgot about it. Fast forward to now (early December) and I remembered it was still up. I logged on and saw CPU usage through the roof. Instead of just shutting it down, I grabbed a disk snapshot, memory snapshot, and ran a tool named UAC (https://github.com/tclahr/uac) to grab live response. The results of this are in this directory.

There are three files:

- sdb.vhd.gz - VHD of the main drive obtained through an Azure disk snapshot
- ubuntu.20211208.mem.gz - Dump of memory using Lime
- uac.tgz - Results of UAC running on the system

Items were obtained in the order above - drive was snapshotted, memory was grabbed, then UAC was run.

Please feel free to share this. All I ask is that if you do any analysis to share it with the community.

If anyone would like to offer a more permanent home for the files, please let me know.

Thanks!

Tyler Hudak</code></pre>



<p>Before going any farther, I wanted to find the cron job that Tyler mentions just so I wouldn&#8217;t be confused by his cleanup tool versus actual intruder activity. There is an entry in /var/spool/cron/crontabs/root that invokes /root/.remove.sh every minute. /root/.remove.sh is simple enough:</p>



<pre class="wp-block-code"><code>#!/bin/bash

for PID in `ps -ef | egrep "kinsing|kdevtmp" | grep "/tmp"  | awk '{ print $2 }'`
do
        kill -9 $PID
done

chown root.root /tmp/k*
chmod 444 /tmp/k*</code></pre>



<p>We find a large number of /tmp/kinsing_* files and a couple of /tmp/kdevtmp* files. I did a quick verification that these were Kinsing and XMRig coin miners respectively, and then forgot all about them. There&#8217;s much more interesting stuff to look at in this image!</p>



<h2 id="other-strange-files-in-var-tmp">Other Strange Files in [/var]/tmp</h2>



<p>While looking at Tyler&#8217;s cron job and its impact on the system, I couldn&#8217;t help noticing a couple of other interesting artifacts in the /tmp and /var/tmp directories.</p>



<ul><li>/var/tmp/dk86 was created 2021-11-11 19:09:51 UTC. The file is owned by user &#8220;daemon&#8221;&#8211;unsurprisingly, this is the user the web server on the machine runs as. I&#8217;ll dive into this file in more detail in a future blog post.</li><li>/tmp/Mozi.a and /tmp/Mozi.tm were both created on 2021-10-13. Mozi.a has a creation time of 13:45:20 and is owned by the root user. Mozi.tm appears at 13:45:48 and is owned by &#8220;azureuser&#8221; (UID 1000). Looking at /home/azureuser/.bash_history, I think these files were intentionally created by Tyler during some of his early research into ongoing attacks on the machine (correct me if I&#8217;m wrong, Tyler!). So I chose to ignore them.</li></ul>



<h2 id="looking-into-uac">Looking into UAC</h2>



<p>I&#8217;ve never used the UAC tool before, so I decided to start my investigation with that data and see how much useful information I could extract. The short answer is I found it very useful, particularly the process information collected by the tool in the &#8230;/liveresponse/process output directory.</p>



<p>lsof is one of my favorite Linux forensic tools, so I started with the &#8220;lsof_-nPl.txt&#8221; file. In particular, I started by looking at the current working directories of processes, for ones that looked abnormal. Here&#8217;s a subset of the output:</p>



<pre class="wp-block-code"><code># <strong>grep cwd lsof_-nPl.txt | grep -v '2 /'</strong>
cron       1029              0  cwd       DIR               8,17     4096      68440 /var/spool/cron
bash       4205           1000  cwd       DIR               8,17     4096     527081 /home/azureuser/src/LiME/src
sleep      6388              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
uac        6445              0  cwd       DIR               8,17     4096     528610 /root/uac
uac        7755              0  cwd       DIR               8,17     4096     528610 /root/uac
lsof       7978              0  cwd       DIR               8,17     4096     528610 /root/uac
lsof       7984              0  cwd       DIR               8,17     4096     528610 /root/uac
sudo       9303              0  cwd       DIR               8,17     4096     527081 /home/azureuser/src/LiME/src
su         9314              0  cwd       DIR               8,17     4096     527081 /home/azureuser/src/LiME/src
bash       9331              0  cwd       DIR               8,17     4096     528610 /root/uac
sh        15853              1  cwd       DIR               8,17    12288       4059 /tmp
sh        20645              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
sh        21785              1  cwd       DIR               8,17    12288       4059 /tmp
python3   27968              0  cwd       DIR               8,17     4096    1552795 /var/lib/waagent/WALinuxAgent-2.5.0.2
python3   27968 28623        0  cwd       DIR               8,17     4096    1552795 /var/lib/waagent/WALinuxAgent-2.5.0.2
python3   27968 28625        0  cwd       DIR               8,17     4096    1552795 /var/lib/waagent/WALinuxAgent-2.5.0.2
python3   27968 28627        0  cwd       DIR               8,17     4096    1552795 /var/lib/waagent/WALinuxAgent-2.5.0.2
python3   27968 28630        0  cwd       DIR               8,17     4096    1552795 /var/lib/waagent/WALinuxAgent-2.5.0.2</code></pre>



<p>PIDs 20645 and 6388 are running from the deleted /var/tmp/.log/101068/.spoollog directory, so they are immediately of interest. I also noted shell processes&#8211; PIDs 15853 and 21785&#8211; running from /tmp. That also looks a bit strange to me. Note that all of the suspicious processes are running as UID 1, the &#8220;daemon&#8221; user (see /etc/passwd from the system disk image to confirm).</p>



<p>What else is running as &#8220;daemon&#8221;? Let&#8217;s take a look at the &#8220;ps_-ef.txt&#8221; file created by UAC:</p>



<pre class="wp-block-code"><code># <strong>awk '$1 == "daemon"' ps_-ef.txt</strong>
daemon    1003     1  0 Oct09 ?        00:00:00 /usr/sbin/atd -f
daemon    1693   801  0 Nov18 ?        00:00:48 /usr/sbin/httpd -k start
daemon    1813   801  0 Nov18 ?        00:00:40 /usr/sbin/httpd -k start
daemon    2539   801  0 Nov18 ?        00:00:39 /usr/sbin/httpd -k start
daemon    2632   801  0 Nov18 ?        00:01:23 /usr/sbin/httpd -k start
daemon    6388 20645  0 18:50 ?        00:00:00 sleep 300
daemon    6803 21785  0 18:51 ?        00:00:00 sleep 30
daemon    6830 15853  0 18:51 ?        00:00:00 sleep 30
daemon   15851     1  0 Nov30 ?        00:00:00 /bin/bash
daemon   15853 15851  0 Nov30 ?        00:25:04 sh
daemon   20645     1  0 Nov14 ?        03:01:59 sh .src.sh
daemon   21783     1  0 Nov30 ?        00:00:00 /bin/bash
daemon   21785 21783  0 Nov30 ?        00:25:02 sh
daemon   24330     1 49 Dec05 ?        1-16:41:54 agettyd -c noresetd</code></pre>



<p>We see the web server on the system running as &#8220;daemon&#8221;. Unless the attackers bring along a privilege escalation tool, it&#8217;s likely their exploits are going to end up running as this user. /usr/sbin/atd running as &#8220;daemon&#8221; is typical for this Linux, so I&#8217;ll ignore that process. But there&#8217;s an interesting story being told by the other processes in the above listing.</p>



<p>On November 14, PID 20645 starts PID 6388 (observe the PPID on PID 6388). These were the processes we saw above that were running from the deleted /var/tmp/.log/101068/.spoollog directory. Also note that PID 20645 was apparently started as &#8220;sh .src.sh&#8221; which is definitely a suspicious command line.</p>



<p>UAC also captures some data from /proc for each process. The &#8230;/proc/20645/environ.txt file has some interesting details. I&#8217;ve extracted and reordered the most interesting data below:</p>



<pre class="wp-block-code"><code>REMOTE_ADDR=116.202.187.77
REMOTE_PORT=56590
HTTP_USER_AGENT=curl/7.79.1

HOME=/var/tmp/.log/101068/.spoollog/.api
PWD=/var/tmp/.log/101068/.spoollog
OLDPWD=/var/tmp
PYTHONUSERBASE=/var/tmp/.log/101068/.spoollog/.api/.mnc

REQUEST_METHOD=POST
REQUEST_URI=/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
SCRIPT_NAME=/cgi-bin/../../../../bin/sh
SCRIPT_FILENAME=/bin/sh
CONTEXT_PREFIX=/cgi-bin/
CONTEXT_DOCUMENT_ROOT=/usr/lib/cgi-bin/</code></pre>



<p>The request URI is typical of the CVE-2021-41773 RCE. We see the IP address and port used by the requestor&#8211; probably a VPN tunnel endpoint or Tor node and not the attacker&#8217;s actual IP address. We also have a user agent string which indicates that this was likely a scripted attack&#8211; curl is a command-line web client. The directories referenced in environment variables tie back to the deleted /var/tmp/.log/101068/.spoollog directory that was the CWD of these processes. So these are definitely worth digging deeper into in a future blog post.</p>



<p>There are two different, but very similar process hierarchies starting  on Nov 30. Bash process 15851 starts sh process 15853 which runs sleep process 6830. Similarly, bash process 21783 starts shell process 21785 which runs sleep process 6803. The environ.txt files for these processes are nearly identical. PID 15851 was triggered from IP 5.2.72.226:47374, while PID 21783 was started by a request from 104.244.76.13:36748. All the other data is the same, so likely the same exploit was used&#8211;possibly by the same attacker:</p>



<pre class="wp-block-code"><code>HTTP_USER_AGENT=curl/7.79.1
REQUEST_METHOD=POST
REQUEST_URI=/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/bash
SCRIPT_NAME=/cgi-bin/../../../../../../../bin/bash</code></pre>



<p>That leaves our mysterious agetty process from Dec 5. Using the &#8220;running_processes_full_paths.txt&#8221; data dumped by UAC, you can see this process is running from the deleted /tmp/agettyd binary, which is very abnormal. But when we look at the &#8220;environ.txt&#8221; data, it&#8217;s easy to see that this process is related to the PID 15851 process hierarchy from Nov 30.</p>



<pre class="wp-block-code"><code>REMOTE_ADDR=5.2.72.226
REMOTE_PORT=47374
HTTP_USER_AGENT=curl/7.79.1

REQUEST_METHOD=POST
REQUEST_URI=/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/bash
SCRIPT_NAME=/cgi-bin/../../../../../../../bin/bash</code></pre>



<p>IP address, port, user agent, and all of the details of the request match perfectly with the information related to PID 15851. Clearly we will need to drill into this in more detail in a future blog post.</p>



<h2 id="coming-soon">Coming Soon</h2>



<p>Based on the triage I&#8217;ve done so far, my investigation has three main threads:</p>



<ol><li>Where is /var/tmp/dk86 come from and what is it?</li><li>What is the origin of the processes running from the deleted /var/tmp/.log/101068/.spoollog and how did the directory end up getting deleted?</li><li>Can we tell if the requests from 5.2.72.226 and 104.244.76.13 independent actors or the same attacker using multiple IPs? How did the /tmp/agettyd process get created?</li></ol>



<p>We&#8217;ll investigate these questions more deeply in upcoming blog posts.</p>
<div id="atatags-370373-61c515ea02fc5">
        <script type="text/javascript">
            __ATA.cmd.push(function() {
                __ATA.initVideoSlot('atatags-370373-61c515ea02fc5', {
                    sectionId: '370373',
                    format: 'inread'
                });
            });
        </script>
    </div>			<div id="atatags-26942-61c515ea03001"></div>
			
			<script>
				__ATA.cmd.push(function() {
					__ATA.initDynamicSlot({
						id: 'atatags-26942-61c515ea03001',
						location: 120,
						formFactor: '001',
						label: {
							text: 'Advertisements',
						},
						creative: {
							reportAd: {
								text: 'Report this ad',
							},
							privacySettings: {
								text: 'Privacy',
								onClick: function() { window.__tcfapi && window.__tcfapi( 'showUi' ); },
							}
						}
					});
				});
			</script><div id="jp-post-flair" class="sharedaddy sd-like-enabled sd-sharing-enabled"><div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon-text sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-twitter"><a rel="nofollow noopener noreferrer" data-shared="sharing-twitter-466" class="share-twitter sd-button share-icon" href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/?share=twitter" target="_blank" title="Click to share on Twitter"><span>Twitter</span></a></li><li class="share-facebook"><a rel="nofollow noopener noreferrer" data-shared="sharing-facebook-466" class="share-facebook sd-button share-icon" href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/?share=facebook" target="_blank" title="Click to share on Facebook"><span>Facebook</span></a></li><li class="share-end"></li></ul></div></div></div><div class='sharedaddy sd-block sd-like jetpack-likes-widget-wrapper jetpack-likes-widget-unloaded' id='like-post-wrapper-6525939-466-61c515ea03a40' data-src='//widgets.wp.com/likes/index.html?ver=20211208#blog_id=6525939&amp;post_id=466&amp;origin=righteousit.wordpress.com&amp;obj_id=6525939-466-61c515ea03a40' data-name='like-post-frame-6525939-466-61c515ea03a40' data-title='Like or Reblog'><h3 class='sd-title'>Like this:</h3><div class='likes-widget-placeholder post-likes-widget-placeholder' style='height: 55px;'><span class='button'><span>Like</span></span> <span class="loading">Loading...</span></div><span class='sd-text-color'></span><a class='sd-link-color'></a></div>
<div id='jp-relatedposts' class='jp-relatedposts' >
	<h3 class="jp-relatedposts-headline"><em>Related</em></h3>
</div></div>			</div><!-- .entry-content -->

	<footer class="entry-footer">
		<span class="cat-links">Posted in <a href="https://righteousit.wordpress.com/category/uncategorized/" rel="category tag">Uncategorized</a></span><span class="tags-links">Tagged <a href="https://righteousit.wordpress.com/tag/dfir/" rel="tag">DFIR</a>, <a href="https://righteousit.wordpress.com/tag/forensics/" rel="tag">Forensics</a>, <a href="https://righteousit.wordpress.com/tag/linux/" rel="tag">Linux</a></span>	</footer><!-- .entry-footer -->

		<div class="entry-author author-avatar-show">
				<div class="author-avatar">
			<img alt='' src='https://1.gravatar.com/avatar/7f07475b144c99087d9684285559d8b8?s=100&#038;d=https%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D100' class='avatar avatar-100' height='100' width='100' />		</div><!-- .author-avatar -->
		
		<div class="author-heading">
			<h2 class="author-title">Published by <span class="author-name">Hal Pomeranz</span></h2>
		</div><!-- .author-heading -->

		<p class="author-bio">
			Independent Computer Forensics and Information Security consultant.  Expert Witness. Trainer.			<a class="author-link" href="https://righteousit.wordpress.com/author/halpomeranz/" rel="author">
				View all posts by Hal Pomeranz			</a>
		</p><!-- .author-bio -->
	</div><!-- .entry-auhtor -->
</article><!-- #post-## -->

			
	<nav class="navigation post-navigation" role="navigation" aria-label="Posts">
		<h2 class="screen-reader-text">Post navigation</h2>
		<div class="nav-links"><div class="nav-previous"><a href="https://righteousit.wordpress.com/2018/06/06/xfs-part-5-multi-block-directories/" rel="prev"><span class="meta-nav">Previous Post</span> XFS (Part 5) &#8211; Multi-Block&nbsp;Directories</a></div><div class="nav-next"><a href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/" rel="next"><span class="meta-nav">Next Post</span> Hudak&#8217;s Honeypot (Part&nbsp;2)</a></div></div>
	</nav>
			
<div id="comments" class="comments-area">

	
			<h2 class="comments-title">
			1 thought on &ldquo;Hudak&#8217;s Honeypot (Part&nbsp;1)&rdquo;		</h2><!-- .comments-title -->

		<ol class="comment-list">
					<li id="comment-362" class="pingback even thread-even depth-1 highlander-comment">
			<article id="div-comment-362" class="comment-body">
				<footer class="comment-meta">
					<div class="comment-metadata">
						<span class="comment-author vcard">
							
							<b class="fn"><a href='https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/' rel='external nofollow ugc' class='url'>Hudak&#8217;s Honeypot (Part 2) &#8211; Righteous IT</a></b>						</span>
						<a href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/#comment-362">
							<time datetime="2021-12-21T05:30:11-07:00">
								<span class="comment-date">December 21, 2021</span><span class="comment-time screen-reader-text">5:30 am</span>							</time>
						</a>
												
					</div><!-- .comment-metadata -->

									</footer><!-- .comment-meta -->

				<div class="comment-content">
					<p>[&#8230;] This is Part 2 in a series. Part 1 is here. [&#8230;]</p>
				</div><!-- .comment-content -->

			</article><!-- .comment-body -->
	</li><!-- #comment-## -->
		</ol><!-- .comment-list -->

		
	
	
		<div id="respond" class="comment-respond">
		<h3 id="reply-title" class="comment-reply-title">Leave a Reply <small><a rel="nofollow" id="cancel-comment-reply-link" href="/2021/12/20/hudaks-honeypot-part-1/#respond" style="display:none;">Cancel reply</a></small></h3><form action="https://righteousit.wordpress.com/wp-comments-post.php" method="post" id="commentform" class="comment-form" novalidate><input type="hidden" id="highlander_comment_nonce" name="highlander_comment_nonce" value="ccb56ca65b" /><input type="hidden" name="_wp_http_referer" value="/2021/12/20/hudaks-honeypot-part-1/" />
<input type="hidden" name="hc_post_as" id="hc_post_as" value="guest" />

<div class="comment-form-field comment-textarea">
	<label for="comment">Enter your comment here...</label>
	<div id="comment-form-comment"><textarea id="comment" name="comment" title="Enter your comment here..."></textarea></div>
</div>

<div id="comment-form-identity">
	<div id="comment-form-nascar">
		<p>Fill in your details below or click an icon to log in:</p>
		<ul>
			<li class="selected" style="display:none;">
				<a href="#comment-form-guest" id="postas-guest" class="nascar-signin-link"
                   title="Login via Guest">
									</a>
			</li>
			<li>
				<a href="#comment-form-load-service:WordPress.com" id="postas-wordpress" class="nascar-signin-link"
                   title="Login via WordPress.com">
					<svg xmlns="http://www.w3.org/2000/svg" role="presentation" viewBox="0 0 24 24" ><rect x="0" fill="none" width="24" height="24"/><g><path fill="#0087be" d="M12.158 12.786l-2.698 7.84c.806.236 1.657.365 2.54.365 1.047 0 2.05-.18 2.986-.51-.024-.037-.046-.078-.065-.123l-2.762-7.57zM3.008 12c0 3.56 2.07 6.634 5.068 8.092L3.788 8.342c-.5 1.117-.78 2.354-.78 3.658zm15.06-.454c0-1.112-.398-1.88-.74-2.48-.456-.74-.883-1.368-.883-2.11 0-.825.627-1.595 1.51-1.595.04 0 .078.006.116.008-1.598-1.464-3.73-2.36-6.07-2.36-3.14 0-5.904 1.613-7.512 4.053.21.008.41.012.58.012.94 0 2.395-.114 2.395-.114.484-.028.54.684.057.74 0 0-.487.058-1.03.086l3.275 9.74 1.968-5.902-1.4-3.838c-.485-.028-.944-.085-.944-.085-.486-.03-.43-.77.056-.742 0 0 1.484.114 2.368.114.94 0 2.397-.114 2.397-.114.486-.028.543.684.058.74 0 0-.488.058-1.03.086l3.25 9.665.897-2.997c.456-1.17.684-2.137.684-2.907zm1.82-3.86c.04.286.06.593.06.924 0 .912-.17 1.938-.683 3.22l-2.746 7.94c2.672-1.558 4.47-4.454 4.47-7.77 0-1.564-.4-3.033-1.1-4.314zM12 22C6.486 22 2 17.514 2 12S6.486 2 12 2s10 4.486 10 10-4.486 10-10 10z"/></g></svg>				</a>
			</li>
			<li>
			<iframe id="googleplus-sign-in" name="googleplus-sign-in" src="https://public-api.wordpress.com/connect/?googleplus-sign-in=https%3A%2F%2Frighteousit.wordpress.com&#038;color_scheme=light" width="24" height="24" scrolling="no" allowtransparency="true" seamless="seamless" frameborder="0"></iframe>
			</li>
			<li>
				<a href="#comment-form-load-service:Twitter" id="postas-twitter" class="nascar-signin-link"
                   title="Login via Twitter">
					<svg xmlns="http://www.w3.org/2000/svg" role="presentation" viewBox="0 0 24 24" ><rect x="0" fill="none" width="24" height="24"/><g><path fill="#1DA1F2" d="M22.23 5.924c-.736.326-1.527.547-2.357.646.847-.508 1.498-1.312 1.804-2.27-.793.47-1.67.812-2.606.996C18.325 4.498 17.258 4 16.078 4c-2.266 0-4.103 1.837-4.103 4.103 0 .322.036.635.106.935-3.41-.17-6.433-1.804-8.457-4.287-.353.607-.556 1.312-.556 2.064 0 1.424.724 2.68 1.825 3.415-.673-.022-1.305-.207-1.86-.514v.052c0 1.988 1.415 3.647 3.293 4.023-.344.095-.707.145-1.08.145-.265 0-.522-.026-.773-.074.522 1.63 2.038 2.817 3.833 2.85-1.404 1.1-3.174 1.757-5.096 1.757-.332 0-.66-.02-.98-.057 1.816 1.164 3.973 1.843 6.29 1.843 7.547 0 11.675-6.252 11.675-11.675 0-.178-.004-.355-.012-.53.802-.578 1.497-1.3 2.047-2.124z"/></g></svg>				</a>
			</li>
			<li>
				<a href="#comment-form-load-service:Facebook" id="postas-facebook" class="nascar-signin-link"
                   title="Login via Facebook">
					<svg xmlns="http://www.w3.org/2000/svg" role="presentation" viewBox="0 0 24 24" ><rect x="0" fill="none" width="24" height="24"/><g><path fill="#3B5998" d="M20.007 3H3.993C3.445 3 3 3.445 3 3.993v16.013c0 .55.445.994.993.994h8.62v-6.97H10.27V11.31h2.346V9.31c0-2.325 1.42-3.59 3.494-3.59.993 0 1.847.073 2.096.106v2.43h-1.438c-1.128 0-1.346.537-1.346 1.324v1.734h2.69l-.35 2.717h-2.34V21h4.587c.548 0 .993-.445.993-.993V3.993c0-.548-.445-.993-.993-.993z"/></g></svg>				</a>
			</li>
		</ul>
	</div>

	<div id="comment-form-guest" class="comment-form-service selected">
		<div class="comment-form-padder">
			<div class="comment-form-avatar">
<a href="https://gravatar.com/site/signup/" target="_blank">				<img src="https://1.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536?s=25" alt="Gravatar" width="25" class="no-grav" />
</a>			</div>

				<div class="comment-form-fields">
				<div class="comment-form-field comment-form-email">
					<label for="email">Email <span class="required">(required)</span> <span class="nopublish">(Address never made public)</span></label>
					<div class="comment-form-input"><input id="email" name="email" type="email" value="" /></div>
				</div>
				<div class="comment-form-field comment-form-author">
					<label for="author">Name <span class="required">(required)</span></label>
					<div class="comment-form-input"><input id="author" name="author" type="text" value="" /></div>
				</div>
				<div class="comment-form-field comment-form-url">
					<label for="url">Website</label>
					<div class="comment-form-input"><input id="url" name="url" type="url" value="" /></div>
				</div>
			</div>
			
		</div>
	</div>

	<div id="comment-form-wordpress" class="comment-form-service">
		<div class="comment-form-padder">
			<div class="comment-form-avatar">
				<img src="https://1.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536?s=25" alt="WordPress.com Logo" width="25" class="no-grav" />
			</div>

				<div class="comment-form-fields">
				<input type="hidden" name="wp_avatar" id="wordpress-avatar" class="comment-meta-wordpress" value="" />
				<input type="hidden" name="wp_user_id" id="wordpress-user_id" class="comment-meta-wordpress" value="" />
				<input type="hidden" name="wp_access_token" id="wordpress-access_token" class="comment-meta-wordpress" value="" />
						<p class="comment-form-posting-as pa-wordpress">
			<strong></strong>
			You are commenting using your WordPress.com account.			<span class="comment-form-log-out">
				(&nbsp;<a href="javascript:HighlanderComments.doExternalLogout( 'wordpress' );">Log&nbsp;Out</a>&nbsp;/&nbsp;
				<a href="#" onclick="javascript:HighlanderComments.switchAccount();return false;">Change</a>&nbsp;)
			</span>
			<span class="pa-icon"><svg xmlns="http://www.w3.org/2000/svg" role="presentation" viewBox="0 0 24 24" ><rect x="0" fill="none" width="24" height="24"/><g><path fill="#0087be" d="M12.158 12.786l-2.698 7.84c.806.236 1.657.365 2.54.365 1.047 0 2.05-.18 2.986-.51-.024-.037-.046-.078-.065-.123l-2.762-7.57zM3.008 12c0 3.56 2.07 6.634 5.068 8.092L3.788 8.342c-.5 1.117-.78 2.354-.78 3.658zm15.06-.454c0-1.112-.398-1.88-.74-2.48-.456-.74-.883-1.368-.883-2.11 0-.825.627-1.595 1.51-1.595.04 0 .078.006.116.008-1.598-1.464-3.73-2.36-6.07-2.36-3.14 0-5.904 1.613-7.512 4.053.21.008.41.012.58.012.94 0 2.395-.114 2.395-.114.484-.028.54.684.057.74 0 0-.487.058-1.03.086l3.275 9.74 1.968-5.902-1.4-3.838c-.485-.028-.944-.085-.944-.085-.486-.03-.43-.77.056-.742 0 0 1.484.114 2.368.114.94 0 2.397-.114 2.397-.114.486-.028.543.684.058.74 0 0-.488.058-1.03.086l3.25 9.665.897-2.997c.456-1.17.684-2.137.684-2.907zm1.82-3.86c.04.286.06.593.06.924 0 .912-.17 1.938-.683 3.22l-2.746 7.94c2.672-1.558 4.47-4.454 4.47-7.77 0-1.564-.4-3.033-1.1-4.314zM12 22C6.486 22 2 17.514 2 12S6.486 2 12 2s10 4.486 10 10-4.486 10-10 10z"/></g></svg></span>
		</p>
					</div>
	
		</div>
	</div>

	<div id="comment-form-googleplus" class="comment-form-service">
		<div class="comment-form-padder">
			<div class="comment-form-avatar">
				<img src="https://1.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536?s=25" alt="Google photo" width="25" class="no-grav" />
			</div>

				<div class="comment-form-fields">
				<input type="hidden" name="googleplus_avatar" id="googleplus-avatar" class="comment-meta-googleplus" value="" />
				<input type="hidden" name="googleplus_user_id" id="googleplus-user_id" class="comment-meta-googleplus" value="" />
				<input type="hidden" name="googleplus_access_token" id="googleplus-access_token" class="comment-meta-googleplus" value="" />
						<p class="comment-form-posting-as pa-googleplus">
			<strong></strong>
			You are commenting using your Google account.			<span class="comment-form-log-out">
				(&nbsp;<a href="javascript:HighlanderComments.doExternalLogout( 'googleplus' );">Log&nbsp;Out</a>&nbsp;/&nbsp;
				<a href="#" onclick="javascript:HighlanderComments.switchAccount();return false;">Change</a>&nbsp;)
			</span>
			<span class="pa-icon"><svg xmlns="http://www.w3.org/2000/svg" role="presentation" x="0px" y="0px" viewBox="0 0 60 60" ><path fill="#519bf7" d="M56.3,30c0,-1.6 -0.2,-3.4 -0.6,-5h-3.1H42.2H30v10.6h14.8C44,39.3 42,42 39.1,43.9l8.8,6.8C53,46 56.3,39 56.3,30z" /><path fill="#3db366" d="M30,57.5c6.7,0 13.1,-2.4 17.9,-6.8l-8.8,-6.8c-2.5,1.6 -5.6,2.4 -9.1,2.4c-7.2,0 -13.3,-4.7 -15.4,-11.2l-9.3,7.1C9.8,51.3 19.1,57.5 30,57.5z" /><path fill="#fdc600" d="M5.3,42.2l9.3,-7.1c-0.5,-1.6 -0.8,-3.3 -0.8,-5.1s0.3,-3.5 0.8,-5.1l-9.3,-7.1C3.5,21.5 2.5,25.6 2.5,30S3.5,38.5 5.3,42.2z" /><path fill="#f15b44" d="M40.1,17.4l8,-8C43.3,5.1 37,2.5 30,2.5C19.1,2.5 9.8,8.7 5.3,17.8l9.3,7.1c2.1,-6.5 8.2,-11.1 15.4,-11.1C33.9,13.7 37.4,15.1 40.1,17.4z" /></svg></span>
		</p>
					</div>
	
		</div>
	</div>

	<div id="comment-form-twitter" class="comment-form-service">
		<div class="comment-form-padder">
			<div class="comment-form-avatar">
				<img src="https://1.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536?s=25" alt="Twitter picture" width="25" class="no-grav" />
			</div>

				<div class="comment-form-fields">
				<input type="hidden" name="twitter_avatar" id="twitter-avatar" class="comment-meta-twitter" value="" />
				<input type="hidden" name="twitter_user_id" id="twitter-user_id" class="comment-meta-twitter" value="" />
				<input type="hidden" name="twitter_access_token" id="twitter-access_token" class="comment-meta-twitter" value="" />
						<p class="comment-form-posting-as pa-twitter">
			<strong></strong>
			You are commenting using your Twitter account.			<span class="comment-form-log-out">
				(&nbsp;<a href="javascript:HighlanderComments.doExternalLogout( 'twitter' );">Log&nbsp;Out</a>&nbsp;/&nbsp;
				<a href="#" onclick="javascript:HighlanderComments.switchAccount();return false;">Change</a>&nbsp;)
			</span>
			<span class="pa-icon"><svg xmlns="http://www.w3.org/2000/svg" role="presentation" viewBox="0 0 24 24" ><rect x="0" fill="none" width="24" height="24"/><g><path fill="#1DA1F2" d="M22.23 5.924c-.736.326-1.527.547-2.357.646.847-.508 1.498-1.312 1.804-2.27-.793.47-1.67.812-2.606.996C18.325 4.498 17.258 4 16.078 4c-2.266 0-4.103 1.837-4.103 4.103 0 .322.036.635.106.935-3.41-.17-6.433-1.804-8.457-4.287-.353.607-.556 1.312-.556 2.064 0 1.424.724 2.68 1.825 3.415-.673-.022-1.305-.207-1.86-.514v.052c0 1.988 1.415 3.647 3.293 4.023-.344.095-.707.145-1.08.145-.265 0-.522-.026-.773-.074.522 1.63 2.038 2.817 3.833 2.85-1.404 1.1-3.174 1.757-5.096 1.757-.332 0-.66-.02-.98-.057 1.816 1.164 3.973 1.843 6.29 1.843 7.547 0 11.675-6.252 11.675-11.675 0-.178-.004-.355-.012-.53.802-.578 1.497-1.3 2.047-2.124z"/></g></svg></span>
		</p>
					</div>
	
		</div>
	</div>

	<div id="comment-form-facebook" class="comment-form-service">
		<div class="comment-form-padder">
			<div class="comment-form-avatar">
				<img src="" alt="Facebook photo" width="25" class="no-grav" />
			</div>

				<div class="comment-form-fields">
				<input type="hidden" name="fb_avatar" id="facebook-avatar" class="comment-meta-facebook" value="" />
				<input type="hidden" name="fb_user_id" id="facebook-user_id" class="comment-meta-facebook" value="" />
				<input type="hidden" name="fb_access_token" id="facebook-access_token" class="comment-meta-facebook" value="" />
						<p class="comment-form-posting-as pa-facebook">
			<strong></strong>
			You are commenting using your Facebook account.			<span class="comment-form-log-out">
				(&nbsp;<a href="javascript:HighlanderComments.doExternalLogout( 'facebook' );">Log&nbsp;Out</a>&nbsp;/&nbsp;
				<a href="#" onclick="javascript:HighlanderComments.switchAccount();return false;">Change</a>&nbsp;)
			</span>
			<span class="pa-icon"><svg xmlns="http://www.w3.org/2000/svg" role="presentation" viewBox="0 0 24 24" ><rect x="0" fill="none" width="24" height="24"/><g><path fill="#3B5998" d="M20.007 3H3.993C3.445 3 3 3.445 3 3.993v16.013c0 .55.445.994.993.994h8.62v-6.97H10.27V11.31h2.346V9.31c0-2.325 1.42-3.59 3.494-3.59.993 0 1.847.073 2.096.106v2.43h-1.438c-1.128 0-1.346.537-1.346 1.324v1.734h2.69l-.35 2.717h-2.34V21h4.587c.548 0 .993-.445.993-.993V3.993c0-.548-.445-.993-.993-.993z"/></g></svg></span>
		</p>
					</div>
	
		</div>
	</div>


	<div id="comment-form-load-service" class="comment-form-service">
		<div class="comment-form-posting-as-cancel"><a href="javascript:HighlanderComments.cancelExternalWindow();">Cancel</a></div>
		<p>Connecting to %s</p>
	</div>

</div>

<script type="text/javascript">
var highlander_expando_javascript = function () {

	function hide( sel ) {
		var el = document.querySelector( sel );
		if ( el ) {
			el.style.setProperty( 'display', 'none' );
		}
	}

	function show( sel ) {
		var el = document.querySelector( sel );
		if ( el ) {
			el.style.removeProperty( 'display' );
		}
	}

	var input = document.createElement( 'input' );
	var comment = document.querySelector( '#comment' );

	if ( input && comment && 'placeholder' in input ) {
		var label = document.querySelector( '.comment-textarea label' );
		if ( label ) {
			var text = label.textContent;
			label.parentNode.removeChild( label );
			comment.setAttribute( 'placeholder', text );
		}
	}

	// Expando Mode: start small, then auto-resize on first click + text length
	hide( '#comment-form-identity' );
	hide( '#comment-form-subscribe' );
	hide( '#commentform .form-submit' );

	if ( comment ) {
		comment.style.height = '10px';

		var handler = function () {
			comment.style.height = HighlanderComments.initialHeight + 'px';
			show( '#comment-form-identity' );
			show( '#comment-form-subscribe' );
			show( '#commentform .form-submit' );
			HighlanderComments.resizeCallback();

			comment.removeEventListener( 'focus', handler );
		};

		comment.addEventListener( 'focus', handler );
	}
}

if ( document.readyState !== 'loading' ) {
	highlander_expando_javascript();
} else {
	if ( typeof window.jQuery === 'function' ) {
		// Use jQuery's `ready` if available.
		// This solves some scheduling issues between this script and the main highlander script.
		jQuery( document ).ready( highlander_expando_javascript );
	} else {
		// If not available, add a vanilla event listener.
		document.addEventListener( 'DOMContentLoaded', highlander_expando_javascript );
	}
}

</script>

<div id="comment-form-subscribe">
	<p class="comment-subscription-form"><input type="checkbox" name="subscribe" id="subscribe" value="subscribe" style="width: auto;"/> <label class="subscribe-label" id="subscribe-label" for="subscribe" style="display: inline;">Notify me of new comments via email.</label></p><p class="post-subscription-form"><input type="checkbox" name="subscribe_blog" id="subscribe_blog" value="subscribe" style="width: auto;"/> <label class="subscribe-label" id="subscribe-blog-label" for="subscribe_blog"  style="display: inline;">Notify me of new posts via email.</label></p></div>




<p class="form-submit"><input name="submit" type="submit" id="comment-submit" class="submit" value="Post Comment" /> <input type='hidden' name='comment_post_ID' value='466' id='comment_post_ID' />
<input type='hidden' name='comment_parent' id='comment_parent' value='0' />
</p><p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="305b160c80" /></p>
<input type="hidden" name="genseq" value="1640306154" />
<p style="display: none !important;"><label>&#916;<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="167"/><script>document.getElementById( "ak_js_1" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form>	</div><!-- #respond -->
	<div style="clear: both"></div>
</div><!-- #comments -->

		
		</main><!-- #main -->
	</div><!-- #primary -->


		</div><!-- #content -->

		<footer id="colophon" class="site-footer" role="contentinfo">
			
			<div class="site-info">
				<a href="https://wordpress.com/?ref=footer_website" rel="nofollow">Create a free website or blog at WordPress.com.</a>
				
							</div><!-- .site-info -->
		</footer><!-- #colophon -->
	</div><!-- #page -->
</div><!-- .site-wrapper -->

<!--  -->
<script src='//0.gravatar.com/js/gprofiles.js?ver=202151y' id='grofiles-cards-js'></script>
<script id='wpgroho-js-extra'>
var WPGroHo = {"my_hash":""};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1610363240h'></script>

	<script>
		// Initialize and attach hovercards to all gravatars
		( function() {
			function init() {
				if ( typeof Gravatar === 'undefined' ) {
					return;
				}

				if ( typeof Gravatar.init !== 'function' ) {
					return;
				}

				Gravatar.profile_cb = function ( hash, id ) {
					WPGroHo.syncProfileData( hash, id );
				};

				Gravatar.my_hash = WPGroHo.my_hash;
				Gravatar.init( 'body', '#wp-admin-bar-my-account' );
			}

			if ( document.readyState !== 'loading' ) {
				init();
			} else {
				document.addEventListener( 'DOMContentLoaded', init );
			}
		} )();
	</script>

		<div style="display:none">
	<div class="grofile-hash-map-7f07475b144c99087d9684285559d8b8">
	</div>
	</div>
<script id='highlander-comments-js-extra'>
var HighlanderComments = {"loggingInText":"Logging In\u2026","submittingText":"Posting Comment\u2026","postCommentText":"Post Comment","connectingToText":"Connecting to %s","commentingAsText":"%1$s: You are commenting using your %2$s account.","logoutText":"Log Out","loginText":"Log In","connectURL":"https:\/\/righteousit.wordpress.com\/public.api\/connect\/?action=request","logoutURL":"https:\/\/righteousit.wordpress.com\/wp-login.php?action=logout&_wpnonce=5dd0849f72","homeURL":"https:\/\/righteousit.wordpress.com\/","postID":"466","gravDefault":"mystery","enterACommentError":"Please enter a comment","enterEmailError":"Please enter your email address here","invalidEmailError":"Invalid email address","enterAuthorError":"Please enter your name here","gravatarFromEmail":"This picture will show whenever you leave a comment. Click to customize it.","logInToExternalAccount":"Log in to use details from one of these accounts.","change":"Change","changeAccount":"Change Account","comment_registration":"","userIsLoggedIn":"","isJetpack":"","text_direction":"ltr"};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s0.wp.com/_static/??/wp-content/js/jquery/jquery.autoresize.js,/wp-content/js/postmessage.js,/wp-content/mu-plugins/highlander-comments/script.js?m=1638479145j'></script>
		<!-- CCPA [start] -->
		<script type="text/javascript">
			( function () {

				var setupPrivacy = function() {

					// Minimal Mozilla Cookie library
					// https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie/Simple_document.cookie_framework
					var cookieLib = window.cookieLib = {getItem:function(e){return e&&decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*"+encodeURIComponent(e).replace(/[\-\.\+\*]/g,"\\$&")+"\\s*\\=\\s*([^;]*).*$)|^.*$"),"$1"))||null},setItem:function(e,o,n,t,r,i){if(!e||/^(?:expires|max\-age|path|domain|secure)$/i.test(e))return!1;var c="";if(n)switch(n.constructor){case Number:c=n===1/0?"; expires=Fri, 31 Dec 9999 23:59:59 GMT":"; max-age="+n;break;case String:c="; expires="+n;break;case Date:c="; expires="+n.toUTCString()}return"rootDomain"!==r&&".rootDomain"!==r||(r=(".rootDomain"===r?".":"")+document.location.hostname.split(".").slice(-2).join(".")),document.cookie=encodeURIComponent(e)+"="+encodeURIComponent(o)+c+(r?"; domain="+r:"")+(t?"; path="+t:"")+(i?"; secure":""),!0}};

					// Implement IAB USP API.
					window.__uspapi = function( command, version, callback ) {

						// Validate callback.
						if ( typeof callback !== 'function' ) {
							return;
						}

						// Validate the given command.
						if ( command !== 'getUSPData' || version !== 1 ) {
							callback( null, false );
							return;
						}

						// Check for GPC. If set, override any stored cookie.
						if ( navigator.globalPrivacyControl ) {
							callback( { version: 1, uspString: '1YYN' }, true );
							return;
						}

						// Check for cookie.
						var consent = cookieLib.getItem( 'usprivacy' );

						// Invalid cookie.
						if ( null === consent ) {
							callback( null, false );
							return;
						}

						// Everything checks out. Fire the provided callback with the consent data.
						callback( { version: 1, uspString: consent }, true );
					};

					// Initialization.
					document.addEventListener( 'DOMContentLoaded', function() {

						// Internal functions.
						var setDefaultOptInCookie = function() {
							var value = '1YNN';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 365 * 24 * 60 * 60, '/', domain );
						};

						var setDefaultOptOutCookie = function() {
							var value = '1YYN';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 24 * 60 * 60, '/', domain );
						};

						var setDefaultNotApplicableCookie = function() {
							var value = '1---';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 24 * 60 * 60, '/', domain );
						};

						var setCcpaAppliesCookie = function( applies ) {
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'ccpa_applies', applies, 24 * 60 * 60, '/', domain );
						}

						var maybeCallDoNotSellCallback = function() {
							if ( 'function' === typeof window.doNotSellCallback ) {
								return window.doNotSellCallback();
							}

							return false;
						}

						// Look for usprivacy cookie first.
						var usprivacyCookie = cookieLib.getItem( 'usprivacy' );

						// Found a usprivacy cookie.
						if ( null !== usprivacyCookie ) {

							// If the cookie indicates that CCPA does not apply, then bail.
							if ( '1---' === usprivacyCookie ) {
								return;
							}

							// CCPA applies, so call our callback to add Do Not Sell link to the page.
							maybeCallDoNotSellCallback();

							// We're all done, no more processing needed.
							return;
						}

						// We don't have a usprivacy cookie, so check to see if we have a CCPA applies cookie.
						var ccpaCookie = cookieLib.getItem( 'ccpa_applies' );

						// No CCPA applies cookie found, so we'll need to geolocate if this visitor is from California.
						// This needs to happen client side because we do not have region geo data in our $SERVER headers,
						// only country data -- therefore we can't vary cache on the region.
						if ( null === ccpaCookie ) {

							var request = new XMLHttpRequest();
							request.open( 'GET', 'https://public-api.wordpress.com/geo/', true );

							request.onreadystatechange = function () {
								if ( 4 === this.readyState ) {
									if ( 200 === this.status ) {

										// Got a geo response. Parse out the region data.
										var data = JSON.parse( this.response );
										var ccpa_applies = data['region'] && data['region'].toLowerCase() === 'california';

										// Set CCPA applies cookie. This keeps us from having to make a geo request too frequently.
										setCcpaAppliesCookie( ccpa_applies );

										// Check if CCPA applies to set the proper usprivacy cookie.
										if ( ccpa_applies ) {
											if ( maybeCallDoNotSellCallback() ) {
												// Do Not Sell link added, so set default opt-in.
												setDefaultOptInCookie();
											} else {
												// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
												setDefaultOptOutCookie();
											}
										} else {
											// CCPA does not apply.
											setDefaultNotApplicableCookie();
										}
									} else {
										// Could not geo, so let's assume for now that CCPA applies to be safe.
										setCcpaAppliesCookie( true );
										if ( maybeCallDoNotSellCallback() ) {
											// Do Not Sell link added, so set default opt-in.
											setDefaultOptInCookie();
										} else {
											// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
											setDefaultOptOutCookie();
										}
									}
								}
							};

							// Send the geo request.
							request.send();
						} else {
							// We found a CCPA applies cookie.
							if ( ccpaCookie === 'true' ) {
								if ( maybeCallDoNotSellCallback() ) {
									// Do Not Sell link added, so set default opt-in.
									setDefaultOptInCookie();
								} else {
									// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
									setDefaultOptOutCookie();
								}
							} else {
								// CCPA does not apply.
								setDefaultNotApplicableCookie();
							}
						}
					} );
				};

				// Kickoff initialization.
				if ( window.defQueue && defQueue.isLOHP && defQueue.isLOHP === 2020 ) {
					defQueue.items.push( setupPrivacy );
				} else {
					setupPrivacy();
				}

			} )();
		</script>

		<!-- CCPA [end] -->
					<script type="text/javascript">
			( function( $ ) {
				$( document.body ).on( 'post-load', function () {
					if ( typeof __ATA.insertInlineAds === 'function' ) {
						__ATA.insertInlineAds();
					}
				} );
			} )( jQuery );
			</script>	<div id="actionbar" style="display: none;"
			class="actnbr-pub-libre-2 actnbr-has-follow">
		<ul>
								<li class="actnbr-btn actnbr-hidden">
								<a class="actnbr-action actnbr-actn-follow " href="">
			<svg class="gridicon gridicons-reader-follow" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 16v2h-3v3h-2v-3h-3v-2h3v-3h2v3h3zM20 2v9h-4v3h-3v4H4c-1.1 0-2-.9-2-2V2h18zM8 13v-1H4v1h4zm3-3H4v1h7v-1zm0-2H4v1h7V8zm7-4H4v2h14V4z"/></g></svg><span>Follow</span>
		</a>
		<a class="actnbr-action actnbr-actn-following  no-display" href="">
			<svg class="gridicon gridicons-reader-following" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 13.482L15.508 21 12 17.4l1.412-1.388 2.106 2.188 6.094-6.094L23 13.482zm-7.455 1.862L20 10.89V2H2v14c0 1.1.9 2 2 2h4.538l4.913-4.832 2.095 2.176zM8 13H4v-1h4v1zm3-2H4v-1h7v1zm0-2H4V8h7v1zm7-3H4V4h14v2z"/></g></svg><span>Following</span>
		</a>
							<div class="actnbr-popover tip tip-top-left actnbr-notice" id="follow-bubble">
							<div class="tip-arrow"></div>
							<div class="tip-inner actnbr-follow-bubble">
															<ul>
											<li class="actnbr-sitename">
			<a href="https://righteousit.wordpress.com">
				<img alt='' src='https://s2.wp.com/i/logo/wpcom-gray-white.png' class='avatar avatar-50' height='50' width='50' />				Righteous IT			</a>
		</li>
										<form method="post" action="https://subscribe.wordpress.com" accept-charset="utf-8" style="display: none;">
																						<div class="actnbr-follow-count">Join 33 other followers</div>
																					<div>
										<input type="email" name="email" placeholder="Enter your email address" class="actnbr-email-field" aria-label="Enter your email address" />
										</div>
										<input type="hidden" name="action" value="subscribe" />
										<input type="hidden" name="blog_id" value="6525939" />
										<input type="hidden" name="source" value="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/" />
										<input type="hidden" name="sub-type" value="actionbar-follow" />
										<input type="hidden" id="_wpnonce" name="_wpnonce" value="7b5811b4e7" />										<div class="actnbr-button-wrap">
											<button type="submit" value="Sign me up">
												Sign me up											</button>
										</div>
									</form>
									<li class="actnbr-login-nudge">
										<div>
											Already have a WordPress.com account? <a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F20%2Fhudaks-honeypot-part-1%2F&#038;signup_flow=account">Log in now.</a>										</div>
									</li>
								</ul>
															</div>
						</div>
					</li>
							<li class="actnbr-ellipsis actnbr-hidden">
				<svg class="gridicon gridicons-ellipsis" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M7 12c0 1.104-.896 2-2 2s-2-.896-2-2 .896-2 2-2 2 .896 2 2zm12-2c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2zm-7 0c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2z"/></g></svg>				<div class="actnbr-popover tip tip-top-left actnbr-more">
					<div class="tip-arrow"></div>
					<div class="tip-inner">
						<ul>
									<li class="actnbr-sitename">
			<a href="https://righteousit.wordpress.com">
				<img alt='' src='https://s2.wp.com/i/logo/wpcom-gray-white.png' class='avatar avatar-50' height='50' width='50' />				Righteous IT			</a>
		</li>
								<li class="actnbr-folded-customize">
								<a href="https://righteousit.wordpress.com/wp-admin/customize.php?url=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F20%2Fhudaks-honeypot-part-1%2F">
									<svg class="gridicon gridicons-customize" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M2 6c0-1.505.78-3.08 2-4 0 .845.69 2 2 2 1.657 0 3 1.343 3 3 0 .386-.08.752-.212 1.09.74.594 1.476 1.19 2.19 1.81L8.9 11.98c-.62-.716-1.214-1.454-1.807-2.192C6.753 9.92 6.387 10 6 10c-2.21 0-4-1.79-4-4zm12.152 6.848l1.34-1.34c.607.304 1.283.492 2.008.492 2.485 0 4.5-2.015 4.5-4.5 0-.725-.188-1.4-.493-2.007L18 9l-2-2 3.507-3.507C18.9 3.188 18.225 3 17.5 3 15.015 3 13 5.015 13 7.5c0 .725.188 1.4.493 2.007L3 20l2 2 6.848-6.848c1.885 1.928 3.874 3.753 5.977 5.45l1.425 1.148 1.5-1.5-1.15-1.425c-1.695-2.103-3.52-4.092-5.448-5.977z"/></g></svg>									<span>Customize</span>
								</a>
							</li>
																<li class="actnbr-folded-follow">
												<a class="actnbr-action actnbr-actn-follow " href="">
			<svg class="gridicon gridicons-reader-follow" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 16v2h-3v3h-2v-3h-3v-2h3v-3h2v3h3zM20 2v9h-4v3h-3v4H4c-1.1 0-2-.9-2-2V2h18zM8 13v-1H4v1h4zm3-3H4v1h7v-1zm0-2H4v1h7V8zm7-4H4v2h14V4z"/></g></svg><span>Follow</span>
		</a>
		<a class="actnbr-action actnbr-actn-following  no-display" href="">
			<svg class="gridicon gridicons-reader-following" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 13.482L15.508 21 12 17.4l1.412-1.388 2.106 2.188 6.094-6.094L23 13.482zm-7.455 1.862L20 10.89V2H2v14c0 1.1.9 2 2 2h4.538l4.913-4.832 2.095 2.176zM8 13H4v-1h4v1zm3-2H4v-1h7v1zm0-2H4V8h7v1zm7-3H4V4h14v2z"/></g></svg><span>Following</span>
		</a>
										</li>
																	<li class="actnbr-signup"><a href="https://wordpress.com/start/">Sign up</a></li>
									<li class="actnbr-login"><a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F20%2Fhudaks-honeypot-part-1%2F&#038;signup_flow=account">Log in</a></li>
																	<li class="actnbr-shortlink"><a href="https://wp.me/prnH5-7w">Copy shortlink</a></li>
																	<li class="flb-report"><a href="http://en.wordpress.com/abuse/">Report this content</a></li>
																	<li class="actnbr-reader">
										<a href="https://wordpress.com/read/blogs/6525939/posts/466">
											View post in Reader										</a>
									</li>
																	<li class="actnbr-subs">
										<a href="https://subscribe.wordpress.com/">Manage subscriptions</a>
									</li>
																		<li class="actnbr-fold"><a href="">Collapse this bar</a></li>
															</ul>
					</div>
				</div>
			</li>
		</ul>
	</div>
	
<script>
window.addEventListener( "load", function( event ) {
	var link = document.createElement( "link" );
	link.href = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.css?v=20210915";
	link.type = "text/css";
	link.rel = "stylesheet";
	document.head.appendChild( link );

	var script = document.createElement( "script" );
	script.src = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.js?v=20211028";
	script.defer = true;
	document.body.appendChild( script );
} );
</script>

	
	<script type="text/javascript">
		window.WPCOM_sharing_counts = {"https:\/\/righteousit.wordpress.com\/2021\/12\/20\/hudaks-honeypot-part-1\/":466};
	</script>
				<script id='libre-2-script-js-extra'>
var libreadminbar = [""];
</script>
<script id='sharing-js-js-extra'>
var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s0.wp.com/_static/??-eJyNj9FuwjAMRX9objSQYDwgvsVJ3NZt4mRxAvv8hU1MiEmIJ9vyuUe65pLBJakk1SxqPJ3ZUf4aFn0zd6/YIIc2sagJvJKaz0aNZhQfqDzCdabYkdxsh20h2FzVP+trqOCZJ6yc5DVeV84QWFYYk2sKI/8rYEOa/ipcUvHoFVxA1a7rChfzYNu1zpPq6CMLWCwmolYqfYNa0K16C7G40Pyvsp8ULfmhh55Ic9IKY0AuRmcsLNNt9tApHt9328N+u998HJZvx82d4Q=='></script>
<script type='text/javascript'>
var windowOpen;
			( function () {
				function matches( el, sel ) {
					return !! (
						el.matches && el.matches( sel ) ||
						el.msMatchesSelector && el.msMatchesSelector( sel )
					);
				}

				document.body.addEventListener( 'click', function ( event ) {
					if ( ! event.target ) {
						return;
					}

					var el;
					if ( matches( event.target, 'a.share-twitter' ) ) {
						el = event.target;
					} else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-twitter' ) ) {
						el = event.target.parentNode;
					}

					if ( el ) {
						event.preventDefault();

						// If there's another sharing window open, close it.
						if ( typeof windowOpen !== 'undefined' ) {
							windowOpen.close();
						}
						windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomtwitter', 'menubar=1,resizable=1,width=600,height=350' );
						return false;
					}
				} );
			} )();
var windowOpen;
			( function () {
				function matches( el, sel ) {
					return !! (
						el.matches && el.matches( sel ) ||
						el.msMatchesSelector && el.msMatchesSelector( sel )
					);
				}

				document.body.addEventListener( 'click', function ( event ) {
					if ( ! event.target ) {
						return;
					}

					var el;
					if ( matches( event.target, 'a.share-facebook' ) ) {
						el = event.target;
					} else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) {
						el = event.target.parentNode;
					}

					if ( el ) {
						event.preventDefault();

						// If there's another sharing window open, close it.
						if ( typeof windowOpen !== 'undefined' ) {
							windowOpen.close();
						}
						windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' );
						return false;
					}
				} );
			} )();
</script>
<script type="text/javascript">
// <![CDATA[
(function() {
try{
  if ( window.external &&'msIsSiteMode' in window.external) {
    if (window.external.msIsSiteMode()) {
      var jl = document.createElement('script');
      jl.type='text/javascript';
      jl.async=true;
      jl.src='/wp-content/plugins/ie-sitemode/custom-jumplist.php';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(jl, s);
    }
  }
}catch(e){}
})();
// ]]>
</script>	<iframe src='https://widgets.wp.com/likes/master.html?ver=20211208#ver=20211208&amp;origin=https://righteousit.wordpress.com' scrolling='no' id='likes-master' name='likes-master' style='display:none;'></iframe>
	<div id='likes-other-gravatars'>
		<div class="likes-text">
			<span>%d</span> bloggers like this:		</div>
		<ul class="wpl-avatars sd-like-gravatars"></ul>
	</div>

		<script src="//stats.wp.com/w.js?63" defer></script> <script type="text/javascript">
_tkq = window._tkq || [];
_stq = window._stq || [];
_tkq.push(['storeContext', {'blog_id':'6525939','blog_tz':'-7','user_lang':'en','blog_lang':'en','user_id':'0'}]);
_stq.push(['view', {'blog':'6525939','v':'wpcom','tz':'-7','user_id':'0','post':'466','subd':'righteousit'}]);
_stq.push(['extra', {'crypt':'UE5XaGUuOTlwaD85flAmcm1mcmZsaDhkV11YdWFnNncxc1tjZG9XVXhRaGp+TjRjdF9qRytURmxYWFJHLX54ek1OVlpUMWo2YmgwRU50RTIrPUYmSGJiMXhfT2h6aHRqU3dseGF2Z3Aldm83QVt1XTlMaFNSczVFcGI5eUNxaD02emowTkhReWM4ZUFYM2ZnR0dkZE5pR1V+cVd3ajUuPVlTTmN2ZDNvP3dIUjZdYjhRcDY5NjVicXxDVFhiTTBjflZpRitHc3AmUUMvKzRhNixvOCw0V0V1P2ttaUJScy15LTRbOHlmUFVM'}]);
_stq.push([ 'clickTrackerInit', '6525939', '466' ]);
	</script>
<noscript><img src="https://pixel.wp.com/b.gif?v=noscript" style="height:1px;width:1px;overflow:hidden;position:absolute;bottom:1px;" alt="" /></noscript>
<script>
if ( 'object' === typeof wpcom_mobile_user_agent_info ) {

	wpcom_mobile_user_agent_info.init();
	var mobileStatsQueryString = "";
	
	if( false !== wpcom_mobile_user_agent_info.matchedPlatformName )
		mobileStatsQueryString += "&x_" + 'mobile_platforms' + '=' + wpcom_mobile_user_agent_info.matchedPlatformName;
	
	if( false !== wpcom_mobile_user_agent_info.matchedUserAgentName )
		mobileStatsQueryString += "&x_" + 'mobile_devices' + '=' + wpcom_mobile_user_agent_info.matchedUserAgentName;
	
	if( wpcom_mobile_user_agent_info.isIPad() )
		mobileStatsQueryString += "&x_" + 'ipad_views' + '=' + 'views';

	if( "" != mobileStatsQueryString ) {
		new Image().src = document.location.protocol + '//pixel.wp.com/g.gif?v=wpcom-no-pv' + mobileStatsQueryString + '&baba=' + Math.random();
	}
	
}
</script>
</body>
</html>
